Data Recovery in the Age of Ransomware

Earlier this year, the world recognized World Backup Day (WBD) as a reminder to everyone that data is important and has to be protected. As part of the WBD recognition, Barracuda ran a series of blog posts on the reasons why companies lose data even when they do almost everything right.

As a follow up to our WBD activities, Barracuda conducted a survey of general technologists whose responsibilities include data protection and recovery. To be blunt, some of these results are alarming. In this article, we are going to run through the results, explain what they mean, and take a look at how to resolve these issues of concern.

Some victims have no choice other than to pay the ransom or lose their data. This is an unfortunate situation, because even if the ransom is a small amount, there are a number of problems with this course of action:

Criminals know you are willing to pay a ransom and are more likely to target you again

There is no way to know that the criminals will or can decrypt your data

Decryption might not work properly and you may lose data anyway

Law enforcement agencies and other authorities discourage rewarding the criminal by paying the ransom

You can leave your data decryption and recovery up to chance, or deploy a comprehensive strategy before the attack.

Data Protection and Recovery

There are a number of definitions for “data protection,” but the common theme is that it requires more than running a backup. Proper data protection is included in the security planning: it includes business continuity and disaster recovery planning, as well as the many security practices involved in preventing unauthorized access. The Barracuda survey focused on data recovery, which is ultimately what system administrators are trying to provide for their companies. Comprehensive data recovery involves data availability and data accessibility at all times.

Availability vs Accessibility

Let's start with a quick overview of what these are. When we talk about the availability of a data backup, we're talking about the data that is stored as a backup. In the case of a tape-based or a disk-based system, the data that is backed-up is available on the tape or on the disk.

Data accessibility refers to how easily it can be accessed for recovery. In our examples above, the data is not accessible unless the tape or disk is with a compatible system. Accessibility for that system may be close to 100% for an administrator in a server room, but may be reduced to zero while the administrator is off-site or away from a designated computer. Meanwhile, the availability of the data remains the same.

When questioned on the importance of availability and accessibility, 70.3% of respondents say that these two are equally important. This indicates that our respondents understand the value of the data as well as the value of recovering the data quickly, possibly from a remote location or even a mobile device.

Protecting Multiple Locations

Perhaps one of the reasons that so many respondents value accessibility as highly as availability is that 53.4% are responsible for data recovery in more than one location. That means that the majority of the respondents are working remotely at least some of the time. Their data recovery systems have to be accessible from more than one location and probably by more than one method.

Another point to consider is that it's good business to test the company resources. If the company has invested in the technology and planning to protect the data, then these things should be tested on a regular basis. User files change in value, applications are added or replaced, data is moved … these are all reasons to be testing backups more than once per year. Perhaps an application upgrade uses a new database instead of the old flat files. Perhaps a new application was never added to the data protection plan.

The Microsoft Recycle Bin is a nice feature, but it's job is to help the organization safeguard against accidental data loss. It's not meant to be a data recovery solution. It doesn't offer the features necessary to protect Exchange, Sharepoint, OneDrive, and the other services. Default retention times are not standard across services, so administrators may not even have the minimal protection that they expected. Data is non-recoverable once it is deleted or ages out of the Recycle Bin. Companies that have to work within compliance frameworks and liability requirements may find that the native Microsoft tools do not meet the regulatory standards.

What Next?

If you find yourself in one of the scenarios that we identified as “bad news,” don't worry too much. These are things that can be fixed quickly, and then improved upon as you go along. You can start right now by evaluating your current data protection and recovery plan. Do you have one? Who is responsible for the deployment and management of the plan? Is the plan being tested? Are there any gaps between your recovery objectives and the capabilities of your data recovery solutions?

One of the most important questions for you to consider is whether your data protection and recovery plans are part of your security strategy? If you work in an environment where data protection is separate from security, it's time to bring those two functions together. In the age of ransomware, they cannot be separated.